Four Ways to Protect Your Backups from Ransomware Attacks

Backups are a last defense and control from having to pay ransom for encrypted data, but they need protection also.This year ransomware has been rampant targeting every industry. Two highlight attacks, WannaCry and NotPetya, have caused, in excess, hundreds of millions in losses. Naturally, cybercriminals continue to rapidly increase ransomware attacks as they are effective.

Good Backups and Effective Recovery

Proactive, not reactive, organizations have choices when it comes to ransomware. The most reliable defense against ransomware continues to be good backups and well-tested restore processes. Companies that regularly back up their data and are able to quickly detect a ransomware attack have the opportunity to restore and minimize disruption.

In some less common cases, we see wiper malware like NotPetya imitating Petya ransomware delivering a similar ransom message. In this case, the victims are not able to recover their data even with paying a ransom, which makes the ability to restore from good backups even more critical.

Clever Attackers Target Backups

Because good backups are so effective, attackers, including nation-state agents, behind ransomware are now targeting the backup processes and tools themselves. Several forms of ransomware, such as WannaCry and the newer variant of CryptoLocker, delete the shadow volume copies created by Microsoft’s Windows OS. Shadow copies are an easy method Microsoft Windows offers for easy recovery. On Macs, attackers targeted backups from the outset. Researchers discovered deficient functions in the first Mac ransomware back in 2015 that targeted disks used by the Mac OS X’s automated backup process called Time Machine.

The scheme is straightforward: Encrypt the backup to cut off organizational control over ransomware and they are likely to pay the ransom. Cybercriminals are increasing their efforts and aim to destroy the backups as well. Here are four recommendations to help organizations safe guard their backups against ransomware attempts.

One: Develop visibility into your backup process

The more quickly an organization can discover a ransomware attack, the better chances that business can avoid significant corruption of data. Data from the backup process can serve as an early warning of ransomware infections. Your backup log will show signs of a program that instantly encrypts data. Incremental backups will abruptly “blow up” as each file is effectively changed, and the encrypted files cannot be compressed or deduplicated.

Monitoring essential metrics like capacity utilization from the backups everyday will help organizations detect when ransomware has infiltrated an internal system and minimize the damage from the attack.

Two: Be wary using network file servers and online sharing services

Network file servers are easy to use and always available, which are two characteristics why network-accessible “home” directories are a well-liked method to centralize data and simplify backup. Yet, when presented with ransomware, this data architecture holds several critical security weaknesses. Many ransomware programs encrypt connected drives, so the target’s home directory would also be encrypted. Any server that runs on a commonly targeted and vulnerable operating system like Windows could also be infected; thus, every user’s data would be encrypted.

Any organization with a network file server must continuously back up the data to a separate system or service, and test the systems restore functionality introduced with ransomware specifically.

Cloud file services are also vulnerable to ransomware. A highlight example is the 2015 Children in Film ransomware attack. Children in Film, a business providing information for child actors and their parents, used the cloud extensively including a common cloud drive. According to KrebsOnSecurity, in less than 30 minutes after an employee clicked on a malicious email link, over four thousand files in the cloud were encrypted. Thankfully, the business’s backup provider was able to restore all of their files, but it took upwards of a week to do so.

Subject to whether the cloud service delivered incremental backups or easily managed file histories, recovery of data in the cloud could pose more difficult than an on-premises server.

Three: Test your recovery processes frequently

Backups are worthless unless you have the ability to recover both reliably and quickly. Organizations can have backups but still be forced to pay the ransom, because the backup schedule failed to perform backups with sufficient granularity, or they were not backing up the intended data. For example, Montgomery County, Alabama was forced to pay a ransom to retrieve their $5 million in data as a result of difficulties with their backup files unrelated to the ransomware.

Part of testing the recovery process is determining the window of data loss. Organizations that do an entire backup every week can potentially lose up to a week of data should it need to recover after its last backup. Performing daily or hourly backups significantly increases the level of protection. More granular backups and detecting ransomware events as early as possible are both key to preventing loss.

Four: Understand your solution options

If ransomware can access backup images directly, it will be almost impossible to prevent the attack from encrypting corporate backups. For that reason, a backup system engineered to abstract the backup data will stop ransomware in its tracks from encrypting historical data.

The process of separating backups from your standard operating environment and ensuring the process doesn’t run on a general-purpose server and operating system, can harden backups against attack. Backup systems running on the most targeted operating system, Microsoft Windows, are prone to attack and are much more difficult to protect from ransomware.

Ultimately, organizations must seek to detect ransomware attacks early with monitoring or anti-malware measures, use of purpose-built systems for separation between backup data and a potentially compromised system, and continuously tested backup and restore processes to ensure data is effectively protected. This approach will preserve backups from ransomware attacks and reduce the risk of losing data in the event of an infection.

About the author: Rod Mathews is the SVP & GM, Data Protection Business for Barracuda. He directs strategic product direction and development for all data protection offerings, including Barracuda's backup and archiving products and is also responsible for Barracuda’s cloud operations team and infrastructure.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.